hi smooge! thanks for sponsoring me!
hvivani: no problem. My apologies for not doing a good job about this, but with nirik now taking over, my time to sponsor and help people will grow
ok, i have been too busy too
did you read the email regarding the #1631 ticket?
I have had it in my queue for a bit. Let me reread to freshen the memory
you were about to create a couple of virtual machines for testing that
ok, maybe you have new goals on the road
sorry google is being slow.. give me 4 minutes
on publictest8, at /etc/sysconfig are the ip6tables that I have translated
the ip6tables service is up and running there
caught up. thanks
(take your time, I am doing other tasks meanwhile)
ok here is the first thing I found out this weekend. ip6tables for RHEL5 does not have state
# Established connections allowed
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
will not work as expected
ohh, that is important
so, we have to wait for RHEL6?
well what we need to do is make the puppet template aware of the version and put the line in or not
ok, I should find out how to do that
basically I think the other templates somewhere will have variable names used in it to key items.. I would find the one that we use elsewhere for RHEL and 6 and use that.
ok, good
the second item while useful eventually most of the drop/accepts for hosts are not going to work well. PHX2 does not have ipv6 access and if we added an ipv6 tunnel the ips would change. I think we can comment out most of the items, and what we want to queue is "We only accept the ports asked for and possibly noc."
that's because of the way I translate the addresses?
no the translations look good from my minimal knowledge. but we can't send ipv6 packets over to it so it's not going to see them. and any it did see would be "fraudulent" somehow and not what we want to accept.
ok I understand
so, you think we are complicating our lives right now with this ticket on this server?
now as we figure out ways to get those packets across we would open things up. so the work I don't think is in any way "wasted".
ok
no I think it's a good first stage. The next stage is to work on a puppet module we can push data to that takes variables like the iptables one and then makes a custom iptables6 for el5 or el6 and what hosts we know we can accept packets from
ok, understood
where would this puppet module be worked on?
puppet git repo: puppet/modules/iptables is where the iptables one is.. an ip6tables would be where the new stuff would go
that's on bastion.fedoraproject.org --> ssh puppet01
correct
follow the SOP on checking it out.
yes, i have the puppet checked out, I have configured my user on nagios
Stephen, you are saying that I should create /puppet/modules/ip6tables and begin working there. Did I understand?
looks like a basic ip6tables module was created at some point.. not sure what state or work it is in
oh looks like I created it in the beginning of march for you. so you don't need to create anything beyond the init.pp files and templates which you should be able to base on the existing iptables module but with more logic per OS
i need to get some food before my blood sugar crashes again today. be back soon